CYBER SECURITY INCIDENT RESPONSE

Identify, Evaluate, Remediate

Detecting a cyber attack quickly, responding effectively and learning lessons from the incident are fundamental principles of a robust – and compliant – cyber security strategy.

However, few organisations’ incident response mechanisms have kept pace with the prevalence and sophistication of modern cybercrime or the evolution of data governance regulations, such as the EU General Data Protection Regulation (GDPR) or similar federal laws across the US.

Effective cyber security incident response (CSIR) requires a combination of digital forensics, business continuity and information security management procedures. With the right measures in place, you are more likely to detect attacks quickly (while they are still underway), minimise their impact, mitigate your risk – and meet regulatory requirements.

What we do

We support our clients through every stage of incident management and response, including:

  • Preparedness assessments
  • Regulatory guidance
  • Cyber Security Incident Response (CSIR) plans
  • Practical support during a cyber attack
  • Post-incident consultancy
  • Forensic investigation in the wake of an attack

what is 8 Types of Security Incidents?

There are various types of security incidents that organisations may encounter, each with its own unique characteristics and potential impact. Here are eight common types of security incidents:

  • Malicious software (malware) infects systems, causing damage or unauthorized access.
  • Examples: Viruses, worms, Trojans, ransomware, spyware.
    • Attackers gain unauthorised access to systems, networks, or data.
    • Examples: Brute force attacks, password cracking, privilege escalation.
    • Sensitive or confidential data is accessed, stolen, or exposed without authorisation.
    • Examples: Personal information, financial data, intellectual property theft.
    • Attackers manipulate individuals into revealing sensitive information, clicking malicious links, or performing actions that compromise security.
    • Examples: Phishing emails, spear phishing, pretexting, baiting.
  • Attackers overwhelm systems or networks to disrupt service availability, rendering them inaccessible to users.
  • Examples: Flood attacks, Distributed DoS (DDoS) attacks.
  •  
    • Employees, contractors, or other trusted individuals misuse their access to compromise security.
    • Examples: Data theft, unauthorized access, sabotage.
  • Unauthorised individuals gain physical access to restricted areas, equipment, or facilities.
  • Examples: Tailgating, unauthorised entry, theft of physical assets.
  • Weaknesses in software, systems, or network configurations are exploited by attackers.
  • Examples: Exploiting unpatched vulnerabilities, misconfigured databases.

The 6 Stages of the Incident Response Lifecycle as Defined by SANS

Untitled-design-18.png

Preparation

  • This involves creating and maintaining an incident response policy, assembling a dedicated incident response team, defining roles and responsibilities, and establishing communication channels both within the team and with external stakeholders.
Untitled-design-25.png

Identification

The incident response team works to identify potential security incidents or breaches. This includes gathering data from various sources such as intrusion detection systems, logs, network traffic analysis, and reports from users. The team analyses this data to determine if there are any anomalies or indicators of compromise. The goal is to detect incidents as early as possible to minimise potential damage.

Untitled-design-26.png

Containment

Once an incident is confirmed, the focus shifts to containing the impact and preventing further damage. Containment involves isolating affected systems, restricting access, and implementing temporary solutions to prevent the incident from spreading.

Untitled-design-27.png

Eradication

In this phase, the team works to eliminate the root cause of the incident. This often involves a thorough investigation to identify how the attacker gained access, what vulnerabilities were exploited, and what malware or malicious activities were involved. The team then develops a strategy to remove the attacker’s presence from the affected systems and implements necessary security patches or configuration changes to prevent similar incidents in the future.

Untitled-design-28.png

Recovery

After the threat is neutralised, the focus shifts to recovering affected systems and returning them to normal operation. This may involve restoring data from backups, verifying the integrity of systems, and ensuring that the systems are functioning as intended. The recovery process aims to minimise downtime and restore normal business operations as quickly as possible while ensuring that the systems are secure.

eport.png

Lessons Learned

The incident response team conducts a thorough post-incident analysis to understand what worked well and what could be done better. This includes evaluating the effectiveness of the response, communication, and coordination, as well as assessing the overall impact of the incident on the organisation. The insights gained from this phase are used to update incident response plans, refine security measures, and enhance the organisation’s overall cybersecurity posture.

Untitled-design-18.png

Preparation

  • This involves creating and maintaining an incident response policy, assembling a dedicated incident response team, defining roles and responsibilities, and establishing communication channels both within the team and with external stakeholders.
Untitled-design-25.png

Identification

The incident response team works to identify potential security incidents or breaches. This includes gathering data from various sources such as intrusion detection systems, logs, network traffic analysis, and reports from users. The team analyses this data to determine if there are any anomalies or indicators of compromise. The goal is to detect incidents as early as possible to minimise potential damage.

Untitled-design-26.png

Containment

Once an incident is confirmed, the focus shifts to containing the impact and preventing further damage. Containment involves isolating affected systems, restricting access, and implementing temporary solutions to prevent the incident from spreading.

Untitled-design-27.png

Eradication

  1. In this phase, the team works to eliminate the root cause of the incident. This often involves a thorough investigation to identify how the attacker gained access, what vulnerabilities were exploited, and what malware or malicious activities were involved. The team then develops a strategy to remove the attacker’s presence from the affected systems and implements necessary security patches or configuration changes to prevent similar incidents in the future.

Untitled-design-28.png

Recovery

After the threat is neutralised, the focus shifts to recovering affected systems and returning them to normal operation. This may involve restoring data from backups, verifying the integrity of systems, and ensuring that the systems are functioning as intended. The recovery process aims to minimise downtime and restore normal business operations as quickly as possible while ensuring that the systems are secure.

eport.png

Lessons Learned

The incident response team conducts a thorough post-incident analysis to understand what worked well and what could be done better. This includes evaluating the effectiveness of the response, communication, and coordination, as well as assessing the overall impact of the incident on the organisation. The insights gained from this phase are used to update incident response plans, refine security measures, and enhance the organisation’s overall cybersecurity posture.

HOW WE WORK

We deliver the whole spectrum of cyber security services, from long-term, enterprise wide strategy and implementation projects to single penetration tests.

Our team works with you to identify and assess your organisation’s vulnerabilities, define enterprise-wide goals, and advise how best to achieve them.

Our recommendations are clear, concise, pragmatic and tailored to your organisation.

Independent, unbiased, personalised – this is how we define our services. We guide you to spend wisely and invest in change efficiently.

Find out how we can help with your cyber challenge

dISCOVER OUR LATEST RESEARCH

ICS-SCADA-REMOTE-ACCESS

The Growing Cybersecurity Risks of AI and Mitigations: External and Internal Threats

As artificial intelligence (AI) continues to advance and permeate various industries, it brings about significant benefits and transformative capabilities. However, along with its tremendous potential, AI could also impact organisations’ cyber risk profile by introducing new risks which have not been previously considered. In this article, we will explore the growing threats associated with AI, […]
Data-Classification-

How to classify sensitive data within your organisation (2/2)

In this second part of our two-part blog we will discuss the requirements to correctly classify your data. Following on from part one once the identification and classification of your data has been completed you need to focus upon data handling. Establish Data Handling Requirements There are numerous forms of technical, operational and management controls […]
sensitive-data-GDPR

How to classify sensitive data within your organisation (1/2)

A crucial first step towards ensuring your data is secure is to identify and classify your information assets. Without considering these tasks you will neither know where your assets are nor how to keep them secure. Information · which assets are more valuable than others · which assets require additional security controls Failure to classify […]